
It's one of the more interesting Catch-22s, getting started. The thing
to remember is that to be able to test for the CISSP you need 3 years
experience in ONE of the ten domains. Your position doesn't have to be
a strictly security position, but a position where security in one of
those ten domains is a significant part of your duties.

In my case, I worked as a tech doing help desk support for a company
providing proprietary software. In addition to my help desk duties
(and actually, as part of performing them), I had to be able to assist
customers in understanding security best practices in order to keep the
proprietary system they had purchased from us secure and to make it work
properly with Microsoft's server OSes while ensuring that all the data
integrity was enforced and information remained available and
confidential. I also worked with the QA department, reproducing what
the customers told us from the field and using that to "break" the
software and help QA and Development isolate those problems so they
could be patched. Those were just a few of the security-related things
that I did working in one or two of the ten domains.

And, I studied like crazy. Once I started in that direction, I also
went back to school to get my degree in comp sci with emphasis on
Information systems security. Between the cert and the degree plus x
number of years in the industry doing what I had been doing (and
additional certs along the way) I started getting calls on my resume.

Effective 1 October 2007, the minimum experience requirement for
certification will be five years of relevant work experience in two or more
of the 10 domains of the CISSP CBK(R), a taxonomy of information security
topics recognized by professionals worldwide, or four years of work
experience with an applicable college degree or a credential from the
(ISC)²-approved list. Currently, CISSP candidates are required to have four
years of work experience or three years of experience with an applicable
college degree or a credential from the (ISC)²-approved list, in *one* or
more of the 10 domains of the CISSP CBK.

Also effective 1 October, CISSP candidates will be required to obtain an
endorsement of their candidature exclusively from an (ISC)²-certified
professional in good standing. Currently, candidates can be endorsed by an
officer from the candidate's organization if no CISSP endorsement can be
obtained. The professional endorsing the candidate can hold any (ISC)² base
certification – CISSP, Systems Security Certified Practitioner (SSCP(R)) or
Certification and Accreditation Professional (CAPCM).

Criticisms of the CISSP examination

Some critics have raised the issues below concerning the CISSP examination,
its contents, and its processes.

The CISSP exam questions are difficult and unfair. The fact that there is so
much knowledge crammed into a 250-question test makes the exam extremely
difficult to pass in the time allotted, especially as the questions and cases
are not always straightforward enough to understand.

Critics say questions assume too much technical knowledge, requiring
extensive knowledge of formulas, focus on obscure facts, or involve complex
calculations.

Critics say the CISSP exam covers information security topics "a mile wide,
and an inch deep"[10] meaning the test has insufficient depth.

The exam sometimes includes outdated information. Critics say that although
organizations still use legacy technology, the exam should focus only on
current technologies.

Some questions on CISSP tests and information in the CBK® may be technically
inaccurate or incomplete.

The exam questions are US / Canada centric and even unique American sources
like the Orange Book are included. ISC have a policy of not employing non-USA
staff, which doesn't help.

The CISSP test is formulated so that candidates are asked to choose the best
answer from among a group of correct answers. Some feel these are "trick"
questions that unnecessarily distract capable candidates.

I have no Computer Degree or Certification and I do not want them, they
are a waste of time.
Hack into their Network and get some patches on so you can get into and out
of their Network, they will hire you real quick to fix it.

And yet:
No other cert or degree on my resume is as likely to get me a call from
a recruiter or an interview with a potential employer. The degree of
difficulty in obtaining the cert makes employers look at it more
seriously, it seems.
And, you miss the main reason why many people let their CISSP lapse:
For those of us working in the industry working full time and often
trying to keep up on all the new vulnerabilities and information in an
already fast-moving field, the requirement to continue learning is
slanted toward purchasing additional coursework through (ISC)2.

The CISSP has value in both its breadth and depth. It does ask hard
questions in each domain and that is good. It also requires you to think
about alternatives and select the best answer based on the
information they give you. All valuable in the security industry. I
teach the CISSP at a local community college and encourage the students
to identify their weak areas and then focus their efforts on those.
Typically students are strong in 2-3 areas and ok in 3-4 and weak in
3-4. It serves to broaden their perspectives and give them exposure to
the other areas that they need to think about as they work to protect
their assets from the bad guys. And, by the way, you are one of those we
protect against. You will be more likely to have a cybercop on your
doorstep than a job offer if you hack into someone's network without
permission. I find that degrees, certifications and experience all
contribute to a better career in the security field. Right now the
biggest two failings of those aspiring to CISO jobs are the ability to
communicate to the Board in terms they understand and the ability to
understand the business you are securing. It is the business that gives
you a reason to have a job.
R/ Vern

Well, once more the thin line has been reached. How does he think he will get
away with it? It is called SECURITY for a good reason, to prevent this, so
/Gill/ you have all the reasons to react/act like this, I join your opinion..
Thinking bad is one thing, doing it another. Learn the stuff, fill out the
exam and get it over with. Win or lose - E=MC2

Well, I have been in IT Security for over 10 years; I tried the CISSP exam twice and failed because of a language barrier. I am French and the questions are very tricky and some sentences are so obscure (words I never heard before) that it confused me. I am a very logical person and so far no success with this exam. I passed the ITIL certification last year and what I liked about that exam is that it provided a French and English version of the exam. That was very cool.
I do believe the CISSP is a good certification, but it does not mean you know your stuff.

Most job postings are going to set the bar high in terms of experience. That does not mean that they won't consider a candidate with less experience though. If you know your stuff and can prove it to them then you have a good shot at a position. The CISSP really won't help you get an entry level job. It's not geared towards that and any company that wants a CISSP for an entry level position doesn't know what they really are looking for. The experience requirements alone for the CISSP would negate it being an entry level position. You need to determine exactly what it is you want to do in security, focus on that and keep learning.
The hardest thing about getting the CISSP is just the sheer amount of knowledge that is covered on the test. Attempting it without a basic understanding of security principles and a pretty in-depth understanding of 3 or 4 domains puts you at a disadvantage. You need to understand what you know and then focus your study on the areas that you don't know well. If you have to focus hard on all 10 domains then you are facing an uphill battle. If you are good at memorizing you might pass, but once you get a job that requires a CISSP you may find yourself in a bind because many companies expect their CISSPs to know their stuff and not just part of it.

I work for one of the big security vendors. Our focus is hiring people who can add value to our customers by providing support for our products as well as giving them the needed education of how vulns work and ways of preventing/protecting them from them. Certifications are nice but are in no way the deciding factor for employment. It has been my experience that a company who hires strictly on certifications or who puts a great emphasis on them is at the very least misguided and probably more to the point badly managed.

I have to disagree on the CPE issue. Getting them is now easier than ever. You can submit security-related podcasts that you listen to, vendor lunches that have talks and demos, webinars, reading security books and writing a review, etc. I've found it much easier than I thought it would be to earn CPEs.
I do agree that ISC2 pushes their products for us to buy. In my opinion they need to focus less on selling us stuff and more on giving us real tools and resources that we can use to grow. I mean, what do we pay yearly dues for?

This is good advice. I didn't start in the help desk, but I did start out on the database side. I built and maintained some large databases and worked a great deal with access controls and a little bit with encryption. In time, the scope of my job grew and I was able to look at the business process involved with getting data in and out of the databases, which included a little physical security, a little process engineering, etc. As my career developed, I took on other roles and, knowing that I had a strong interest in security, always maintained a sharp focus on the security aspects of the job. As my positions allowed, I'd delegate some of the non-security stuff to other staff to focus on the security problems. By the time I took a position "in security", I already had 7+ years experience working with security in a variety of environments. Now, I'm in a position where I'm required to truly apply my knowledge from all the security domains to my job. Not all at the same time, but each project has a little bit of everything -- database encryption and firewalls to paper on a desk and locks on the door. I love what I do, but I wouldn't be as well-rounded if I had just landed in a "security job" right away.

I agree with you, the language in some of the CISSP test questions is overly difficult to understand and I believe the certification is not as valuable as practical experience.
Cryptology is part of the test, but I did not think one would have to decrypt some of the questions to pass. ;-)
Be careful, I think I read one can only take it 3 times. Is that right?
Mike

Another thing to remember about CISSP is that it really is a "management level" exam. It is not very technical in nature. I found Security+ to be more directly applicable to the technical level jobs (sys admin, security admin, etc). CISSP is meant for those security managers who can then be smart enough to translate the tech-speak into items the CIO and CEO type folks can understand.
As for hiring - the US DoD now has the 8570.1-M policy in place. This mandates that ALL personnel who conduct "IA-type" duties in their work need to be certified in both commercial IA certs and in the OS they manage. The tech level certs approved are A+, Net+, Sec+, and the associated GIAC certs. The management types must eventually get CISSP, CISM, or the GIAC leadership certificate (can't remember its name off hand).
Bottom line is a resume doesn't get you a job - it only gets you an interview, and it is in the interview that you make or break yourself. Certs are similar; having the alphabet soup is great for the resume, but won't get you through a good interview.

Being able to translate the US-centric questions into clear English. ISC2 do not understand the difference between "which" and "what", and I would say the general reading age for the questions was sub-ten year old, which is pretty poor when you consider that this is supposed to be a management exam.

Copyright 1998-2015 Ziff Davis, LLC (Toolbox.com). All rights reserved. All product names are trademarks of their respective companies. Toolbox.com is not
affiliated with or endorsed by any company listed at this site.